Synthetic Identity Fraud
What Is Synthetic Identity Fraud?
Synthetic Identity Fraud (SIF) is fraud involving the use of a fictitious identity. Fraudsters typically create false or “synthetic” identities by combining stolen or fictitious Social Security Numbers (SSNs) with false personal information. They create these new identities for a variety of reasons, such as obtaining credit cards and loans, opening deposit accounts, and obtaining driver's licenses and passports.
SIF is significantly different from traditional identity fraud. In traditional identity fraud, a fraudster pretends to be another real person and uses their credit. Traditional identity fraud tends to be reported relatively quickly, as most victims notice when unauthorized transactions are made on their accounts. SIF, on the other hand, can go on undetected for months or years, as there is no immediate victim.
- Fraud for nefarious activities - This is the category that results in most of the financial losses and poses the greatest threat to the financial system, government programs, and national security. Fraud for nefarious activities refers to a deliberate, organized, and sometimes large-scale scheme to liquidate credit accounts, launder money or fraudulently obtain government benefits. Criminals use these large-scale schemes to fund organized crime, terrorism, and other illicit activities.
- Fraud for a living - Some forms of synthetic identity fraud are not motivated by the desire to steal money. An individual may assume a synthetic identity to make it easier to live or work in the U.S. There are some cases involving undocumented immigrants who use invented or stolen SSNs to obtain financial services. While still a form of fraud, these synthetic identity thieves aren’t looking to steal money from financial institutions. They just want a recognized SSN to facilitate getting paid, and to have access to bank accounts and credit cards for making payments and purchases.
- Fraud for credit repair - An individual creates a false identity using a stolen or fake SSN combined with their real name to build an alternate credit history. This is often done through less-than-reputable credit repair agencies that offer loans and credit lines with little or no identity verification.
Reasons for growth
- Randomization of SSNs - Social Security Numbers issued before 2011 consisted of a three-digit geographic number, a two-digit age group number, and a four-digit serial number. SSNs issued since 2011 are a series of random numbers with no geographical or group identifiers. This randomization makes it harder for financial institutions to match a SSN with an applicant’s place and date of birth. Before 2011, the Social Security Administration (SSA) published a list of all SSN geographic and group numbers ever issued, which allowed financial information to spot fake SSNs relatively easily. This type of list is no longer produced.
- More compromised Personally Identifiable Information (PII) available - In the past 10 years, there have been a number of major data breaches, making hundreds of millions of individuals’ PII available for sale on the dark web. Accordion to the Federal Reserve, between 2017 and 2018 alone, more than 446 million records containing PII were exposed. Dark websites sell these breached records, which often include SSNs.
- Use of SSNs as a primary identifier - SSNs were originally created to track individuals’ earnings and benefits, but have evolved into the main way that public and private organizations determine that an individual is legitimate.
- Gaps in the credit process - The way credit is established in the U.S. contributes to the proliferation of SIF. The first time a fraudster applies for credit at a financial institution using a synthetic identity, they will usually be turned down, but the credit bureau automatically creates a new credit profile. This new credit profile becomes the synthetic identity’s so-called “proof” of existence. The credit bureau assumes that the first applicant using a particular SSN is legitimate.
- Increased use of electronic credit applications - With the increase in online banking, it has become more common for people to apply for bank accounts, credit cards, and loans online. This does not give a lender the opportunity to perform basic Know Your Customer (KYC) checks, nor to use the existing SSA Consent Based Social Security Number Verification service, which requires a “wet” (written on paper) signature.
How Fraudsters Create Synthetic Identities
Typically, fraudsters will use a real Social Security number (SSN) and pair it with a name not associated with that number. Synthetic identities are often constructed using stolen SSNs belonging to children since they have been issued since 2011 and the fraudulent use of their SSNs probably won’t be discovered for years — until the legitimate SSN owner is applying for credit or employment sometime in the future. Children’s SSNs are 51 times more likely to be used in synthetic fraud schemes than adults. More than one million children were victims of identity theft or fraud, including SIF, in a single year. When a child whose SSN has been compromised becomes “credit active”, they will face an uphill battle proving:
a) that the SSN actually belongs to them; and
b) that they weren’t the person whose activities were charged off.
Although used less frequently than children’s SSNs, fraudsters may also use SSNs of elderly people, people in prison, homeless people, and sometimes even people who are deceased. In other cases, a fraudster may create a completely fake identity with a non-existent SSN, name, date of birth, and address.
Some fraudsters take additional steps to make their synthetic identities seem legitimate. They apply for phone numbers, set up email and social media accounts, are active on social media using their synthetic identities, and in some cases hack into and add their synthetic identities to public databases used by financial institutions to verify identity information.
In some cases, fraudsters may set up an artificial company. After the company is established, the fraudster creates fabricated employee identities.
How Fraudsters Get Credit for Their Synthetic Identities
Applying for credit at a bank - Once the fraudster has created a synthetic identity, they apply for credit at a bank. Since there is no credit history, they will generally be turned down the first time, but by applying, a credit profile is created for the synthetic identity. The fraudster then applies to other lenders until one of them approves them for a small amount of credit. As an example, they may get a credit card with a limit of $500. They use the credit card for a few months, paying it off each month, to establish good credit. They will then apply for credit cards with higher limits or other types of credit.
Piggybacking on a legitimate account - Fraudsters actively recruit credit card holders with good credit to add an authorized user to their account. This authorized user is a synthetic identity. The fraudster doesn’t attempt to use the synthetic identity while piggybacking. They just let it sit idle for 2-3 months. This gives the credit reporting agencies time to report on the credit of the synthetic authorized user, and the credit rating they receive is generally based on the credit rating of the credit card holder. Once the synthetic identity has received a favorable credit rating, the fraudster will remove it from the account of the original credit card holder and will use the synthetic identity to apply for its own credit cards and loans.
The Pay-Off - Fraudsters may use their synthetic identities’ bank accounts, credit cards and loans responsibly for months or even years in order to build up their credit score and history. After paying off balances regularly over a period of time, their credit score improves and they can apply for a higher credit limit. At a certain point, they max out the credit cards and loans with no intention of repaying them. This is known as credit bust-out fraud or sleeper fraud.
Some fraudsters use their synthetic identities to “bust out” more than once. They max out their synthetic identities’ credit cards and loans, then claim they were subject to identity theft to convince financial institutions to reverse charges and reopen credit lines.
Being patient and playing the long game can be very lucrative for fraudsters. One fraud ring in New Jersey built up 7,000 credit profiles in a scheme that created over $200 million in fraud losses.
Go Beyond Know Your Customer (KYC) Protocols
Know Your Customer (KYC) is a general term used for identity verification of customers before developing any business relationship with them. To comply with KYC laws, financial institutions (and others) are required to develop customer identification processes and verify their customers on a regular basis.
KYC checks are a starting point, but there are often gaps in lenders’ KYC protocols. A recent study found that only half of synthetic identity credit applications were made online, indicating that a significant number of fraudsters are able to pass KYC checks even when applying in person.
Between weak KYC protocols and traditional, manual processing procedures, once accounts are opened, synthetic identities can go undetected for months or years. To complicate matters further, synthetic identity profiles generally have strong credit scores, so there tend to be fewer red flags during credit underwriting and credit checks.
Watch for Red Flags
There are a number of red flags to watch for while processing credit applications or monitoring customer activity. Some may be identified manually; others may require link analysis processes or fraud analytics systems. Focusing on any one characteristic could lead to false positives or misidentifying certain types of legitimate customers, such as recent immigrants with short credit histories. It is important to look across multiple characteristics and data sources to identify synthetic identities.
- The SSN can’t be matched to the specific customer.
- The SSN matches to a different individual, while no credit file is available for the requested applicant.
- The SSN matches to a different individual. A credit file is available for the name and address provided, but the SSN on that file is different from the SSN provided on the application.
- The applicant’s credit file depth is inconsistent with the customer’s age or other profile information.
- There are multiple identities with the same SSN.
- There are multiple applications from the same phone number, mailing address, email address or IP address.
- The SSN was issued after 2011.
- There are multiple authorized users on the same account.
Participate in the eCBSV Service
The Social Security Administration (SSA) recently launched a new service, electronic Consent Based Social Security Number Verification (eCBSV), for financial institutions to help with fraud protection data. eCBSV allows financial institutions to verify if an individual’s SSN, name, and date of birth combination match Social Security records. The SSA introduced the original Consent Based Social Security Number Verification (CBSV) service in 2008. This service enables paid subscribers, upon written consent from the SSN holder, to verify that a name, SSN, and date of birth combination matches (or does not match) the SSA’s records. However, this service is paper-based and does not offer real-time verification.
The fee-based eCBSV works largely the same way as the original service, but will allow individuals to provide consent electronically rather than with a “wet” signature, and will allow financial institutions to validate the information in real-time. eCBSV returns a match verification of “Yes” or “No.” If its records show that the SSN holder is deceased, eCBSV returns a death indicator. The eCBSV service only allows for customer information validation for new accounts.
The service was initially rolled out to select institutions in June 2020 and is being made available to more financial institutions from 2021 on.
In a recent Government Accountability Office (GAO) forum, subject matter experts stressed the importance of sharing information, both internally and across the payments industry.
Within your company - It is recommended that financial institutions work to break down internal barriers to facilitate sharing of information across product lines. Synthetic identity fraudsters usually open multiple accounts at the same institution. If a synthetic identity has a credit card, it may also have a direct deposit account, car loan, mortgage, and/or line of credit. If the identity busts out on one account, it is likely to bust out on other accounts around the same time. Connecting all accounts owned by the same synthetic identity helps minimize losses.
Among financial institutions - Section 314(b) of the USA Patriot Act allows participating financial institutions to share customer information with one another in support of their own due diligence, compliance, and reporting requirements. Section 314(b) also allows for sharing of information that relates to money laundering and terrorism. Some instances of SIF may be for these purposes, but it is a bit of a legal gray area.
Talk to your legal counsel before sharing suspected synthetic identity information outside your company.